Certificate Enrollment and Signing Services for the Cloud. A behind-the-scenes presentation of a successful cooperation between

Introduction
Based on our experience and requests from the market, we would like to introduce a possible solution for a certificate enrollment service and a digital signature service in the cloud, which could make your life easier. This presentation is a behind-the-scenes look at trustworthy cloud service providers and focuses on the end-user experience and the particular security measures applied to the respective services.

PKI as a Service - Motivation
Today, more and more internal systems and applications rely on certificates for securing communication channels and for authentication purposes. Installing and operating a PKI infrastructure, however, is challenging, especially if a high level of security is required:
Dedicated, secured PKI systems with expensive hardware security modules (HSM) for protecting the CA keys
Availability of the critical components and a contingency plan
Administration of the PKI and separation of roles
Keeping track of issued and expiring certificates, auditing

PKI as a Service - Solution
PKI as a service enables automated issuance and management of certificates on Windows domain-joined and non-domain-joined systems, Mac OS, Linux/Unix, iOS, Android and Windows Mobile without the need to set up and operate a corporate PKI. Comprehensive cockpits and reports provide insight into the progress of certificate issuance processes and into system states.

PKI as a Service - Architecture
Certificate Issuance:
1) Public CAs (QuoVadis, ...)
2) Internal CA (Microsoft CA)
3) True-Xtender RA (Cross-AD-Forest enrollment)
Enrollment Interfaces:
1) MS CEP/CES Web Services
2) DCOM WCCE (Windows Client Certificate Enrollment)
3) SCEP (Simple Certificate Enrollment Protocol)
(Architecture diagram labels: Enterprise RA Officers, Public CA, true-xtender AutoEnroll PKI, Microsoft CA; CES, DCOM, SCEP; Windows domain joined systems, Windows non-domain joined systems, Mac OS, Linux / Unix, Mobile devices / MDM.)

PKI as a Service - Principles
The service provider hosts and operates the PKI with appropriate security measures, such as using an HSM for CA key protection
The Enrollment Connector component is installed on-prem
Certificates are issued automatically using readily available enrollment APIs
Authentication and authorization of clients is handled with information available in the enterprise (AD, DB, IAM)
Authentication of clients can be based on Kerberos or on other credentials, e.g. for non-domain joined systems
Optional archival of client keys takes place on-prem

PKI as a Service - Cockpit and Reports
(Dashboard screenshots: certificate issuance charts per certificate profile (Cert Profile 1 to Cert Profile 7) and per CA (MSCA to MSCA5).)

PKI as a Service - Solution Challenges
Only a few components should be installed on-prem
Different existing enrollment interfaces must be supported
Multiple internal and external CAs must be supported
Support for triggered updates without the need for user action (e.g. name change due to marriage)
Key archival on-prem and secure key recovery processes
Automatic lifecycle management, i.e. revocation of certificates issued to inactive users or computers
Prevent enrollments from running wild and inflicting costs

Signature as a service - Motivation
Digital signatures are trending in B2B, B2C and C2B scenarios
The legal requirements for qualified signatures are usually only met using smart cards
Managing physical tokens in an enterprise environment can be challenging and also limits the usage scenarios

Signature as a service - Solution
Signature as a service enables companies or individuals to easily apply advanced or qualified digital signatures without the need to install or manage smart cards or USB tokens.
Apply digital signatures using any standard application on Microsoft Windows (Office, Adobe Reader, etc.)
Support for strong authentication of users
The private signature key is generated and used only in a certified Hardware Security Module located at the service provider
Support for digital signatures according to ZertES, ElDI-V, GeBüV, Adobe AATL, etc. and for time stamping services

Signature as a service - Architecture
(Architecture diagram labels: Gemalto SafeNet Authentication Service, QuoVadis Auth Service, PKI Infrastructure, Organisation, Luna HSM, true-sign-v, Airlock, true-sign; parties: Gemalto, Keyon, QuoVadis.)

Signature as a service - Client View, Step 1: Authentication (once per session / hour)

Signature as a service - Authentication
Strong two-factor authentication with PIN and generated passcode to verify the identity of the caller
Smartphone app or physical OTP token available for generating the passcode
Authentication is validated using a cloud-based service

Signature as a service - Client View, Step 2: Authorization (caching configurable)

Signature as a service - Authorization
The password for using the private key is independent of the authentication password and is only transmitted in an end-to-end encrypted message from the client to the signature service
Operations with the private key take place only on a certified HSM and require the correct password to be presented
Too many tries with a wrong password will delete the private key permanently
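A software model of the authorization policy on this slide, added here as an illustration; it is not code from Keyon, QuoVadis or the service shown. It assumes a lock-out limit of three wrong tries (the slides give no number), a session token standing in for a passed two-factor login, and a random HMAC key standing in for the RSA key that the real service keeps inside the HSM; the end-to-end encryption of the key password is outside the model.

```python
import hashlib
import hmac
import secrets

MAX_WRONG_TRIES = 3  # assumed limit; the slides state no number


class KeyDestroyed(Exception):
    """The HSM has permanently deleted the private key."""


class SigningServiceModel:
    """Service-side checks: separate session and key password, key usable only
    with both, key deleted after too many wrong passwords. In the real service the
    key password arrives end-to-end encrypted and is decrypted inside the HSM."""

    def __init__(self, key_password: str):
        self._salt = secrets.token_bytes(16)
        # Store only a slow-hash verifier of the key password, never the password.
        self._verifier = self._derive(key_password)
        # Stand-in for the HSM-resident RSA key: a random HMAC key (assumption).
        self._private_key = secrets.token_bytes(32)
        self._wrong_tries = 0
        self._sessions = set()

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def authenticate(self) -> str:
        """Step 1: session token issued after (assumed) two-factor authentication."""
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return token

    def key_alive(self) -> bool:
        return self._private_key is not None

    def sign(self, session_token: str, key_password: str, data: bytes) -> bytes:
        """Step 2: sign only with a valid session AND the correct key password."""
        if not self.key_alive():
            raise KeyDestroyed("private key was deleted after too many wrong passwords")
        if session_token not in self._sessions:
            raise PermissionError("caller is not authenticated")
        if not hmac.compare_digest(self._derive(key_password), self._verifier):
            self._wrong_tries += 1
            if self._wrong_tries >= MAX_WRONG_TRIES:
                self._private_key = None  # permanent deletion, as the slide describes
                raise KeyDestroyed("too many wrong key passwords; key deleted")
            raise PermissionError(f"wrong key password ({self._wrong_tries}/{MAX_WRONG_TRIES})")
        self._wrong_tries = 0  # a correct password resets the counter
        return hmac.new(self._private_key, data, hashlib.sha256).digest()
```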

Signature as a service - Solution Challenges
Meeting legal requirements for qualified signatures (e.g. authentication of the private key owner, ensuring that only the owner can authorize the use of the private key)
Ensuring the security of the solution in corporate environments that break up TLS
Limiting where the client can be used and which applications can create signatures
Supporting all the different APIs on the client that applications use (CSP, KSP, PKCS#11)
Supporting Terminal Services (RDP, Citrix) scenarios

Signature as a service - Advanced Use Cases: Code Signing
Security features in modern operating systems and applications allow restricting the execution of code, scripts and macros based on digital signatures
Keeping the private key secure is very important and usually conflicts with the fact that more than one person, and even automated build servers, need to digitally sign the code
The service shown can provide a secure solution for implementing this use case

Signature as a service - Advanced Use Cases: Clientless Signing in Workflows
Since the signature is created on the HSM of the service provider, it is possible to integrate the signature solution into web-based workflow systems (depends on the legal framework!)
The workflow system prepares the data to be signed and redirects to a page hosted by the service provider, which asks for the user credentials and creates the signature. The signature is then returned to the workflow provider using a redirection and can be embedded into the document.

Thank you for your attention Q&A